Skip to main content

Sound and Precise Cross-Layer Data Flow Tracking

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9639)


We connect runtime monitors for data flow tracking at different abstraction layers (a browser, a mail client, an operating system) and prove the soundness of this generic model w.r.t. a formal notion of explicit information flow. This allows us to (1) increase the precision of the analysis by exploiting the high-level semantics of events at higher levels of abstraction and (2) provide system-wide guarantees at the same time. For instance, using our model, we can soundly reason about the flow of a picture from the network through a browser into a cache file or a window on the screen by combining analyses at multiple layers.


These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, log in via an institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    Let m be a function of type \(S\rightarrow T\) and \(X \subseteq S\). \(m'=m[x \leftarrow expr ]_{x \in X}\) indicates a function \(S\rightarrow T\) such that \(m'(y) = expr \) for any \(y\in X\) and \(m'(y)=m(y)\) otherwise.


  1. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. ACM Sigplan Not. 44(8), 20–31 (2009)

    Article  Google Scholar 

  2. Biswas, A.K.: Towards improving data driven usage control precision with intra-process data flow tracking. Master’s thesis, Technische Universität München (2014)

    Google Scholar 

  3. Chin, E., Wagner, D.: Efficient character-level taint tracking for java. In Proceedings of the ACM Workshop on Secure Web Services, pp. 3–12 (2009)

    Google Scholar 

  4. Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: USENIX Security (2004)

    Google Scholar 

  5. Crandall, J.R., Chong, F.T.: Minos: control data attack prevention orthogonal to memory model. In: Proceedings MICRO37, pp. 221–232. IEEE (2004)

    Google Scholar 

  6. de Amorim, A.A., Dénes, M., Giannarakis, N., Hritcu, C., Pierce, B.C., Spector-Zabusky, A., Tolmach, A.: Micro-policies (2015)

    Google Scholar 

  7. Demsky, B.: Cross-application data provenance and policy enforcement. ACM Trans. Inf. Syst. Secur. 14(1), 1–22 (2011)

    Article  Google Scholar 

  8. Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: USENIX OSDI (2010)

    Google Scholar 

  9. Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy (1982)

    Google Scholar 

  10. Harvan, M., Pretschner, A.: State-based usage control enforcement with data flow tracking using system call interposition. In: NSS (2009)

    Google Scholar 

  11. Kim, H.C., Keromytis, A.D., Covington, M., Sahita, R.: Capturing information flow with concatenated dynamic taint analysis. In: ARES (2009)

    Google Scholar 

  12. Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: SOSP (2007)

    Google Scholar 

  13. Kumari, P., Pretschner, A., Peschla, J., Kuhn, J.-M.: Distributed data usage control for web applications: A social network implementation. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, CODASPY 2011, pp. 85–96. ACM (2011)

    Google Scholar 

  14. Lörscher, M.: Usage Control for a Mail Client. Master thesis, TU Kaiserslautern (2012)

    Google Scholar 

  15. Lovat, E.: Cross-layer Data-centric Usage Control. Ph.D. thesis, Technische Univesität München (2015)

    Google Scholar 

  16. Lovat, E., Fromm, A., Mohr, M., Pretschner, A.: SHRIFT system-wide hybrid information flow tracking. In: Federrath, H., Gollmann, D., Chakravarthy, S.R. (eds.) SEC 2015. IFIP AICT, vol. 455, pp. 371–385. Springer, Heidelberg (2015). doi:10.1007/978-3-319-18467-8_25

    Chapter  Google Scholar 

  17. Lovat, E., Ochoa, M., Pretschner, A.: Sound and precise cross-layer data flow tracking. Technical Report TUM-I1629, Technische Universität München, January 2016.

  18. Muniswamy-Reddy, K., Braun, U., Holland, D.A., Macko, P., Maclean, D., Margo, D., Seltzer, M., Smogor, R.: Layering in provenance systems. In: USENIX (2009)

    Google Scholar 

  19. Pretschner, A., Lovat, E., Büchler, M.: Representation-independent data usage control. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM 2011 and SETOP 2011. LNCS, vol. 7122, pp. 122–140. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  20. Rasthofer, S., Arzt, S., Lovat, E., Bodden, E.: Droidforce: Enforcing complex, data-centric, system-wide policies in android. In: ARES (2014)

    Google Scholar 

  21. Smith, G.: On the foundations of quantitative information flow. In: Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  22. Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: ACM SIGARCH (2004)

    Google Scholar 

  23. Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, p. 303. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  24. Volpano, D., Smith, G.: A type-based approach to program security. In: Bidoit, M., Dauchet, M. (eds.) CAAP 1997, FASE 1997, and TAPSOFT 1997. LNCS, vol. 1214, pp. 607–621. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  25. Wüchner, T., Pretschner, A.: Data loss prevention based on data-driven usage control. In: 23rd IEEE International Symposium on Software Reliability Engineering (ISSRE), pp. 151-160, November 2012

    Google Scholar 

  26. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing system-wide information flow for malware detection and analysis. In: CCS (2007)

    Google Scholar 

  27. Zhang, Q., McCullough, J., Ma, J., Schear, N., Vrable, M., Vahdat, A., Snoeren, A.C., Voelker, G.M., Savage, S.: Neon: System support for derived data management. SIGPLAN Not. 45(7), 63–74 (2010)

    Google Scholar 

  28. Zhu, Y., Jung, J., Song, D., Kohno, T., Wetherall, D.: Privacy scope: A precise information flow tracking system for finding application leaks. Technical Report UCB/EECS-2009-145, EECS Department, University of California, Berkeley, October 2009

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Martín Ochoa .

Editor information

Editors and Affiliations



A Serialized Events

Let \(t^S(e):\mathcal {E}\rightarrow \mathbb {N}\) and \(t^E(e):\mathcal {E}\rightarrow \mathbb {N}\) be two functions that return, respectively, the time at which a certain event e starts and ends. In the context of multiple layers, we assume that for any event \(e_\dagger \in \mathcal {E}_\dagger \) it holds that \(e_\dagger \) terminates only after starting (\(t^S(e_\dagger )<t^E(e_\dagger )\)) and that for every event e observed, the single layer monitors report an event \(e^{S}\) at time \(t^S(e)\) to notify the beginning of e and an event \(e^{E}\) at time \(t^E(e)\) to notify its end. In concrete implementations it is usually possible to observe or approximate these two aspects of any event.

For \(\dagger \in \mathcal {L}\), let \({\mathcal {E}^{-}_{\dagger }}\subseteq \mathcal {E}_\dagger \times \{S,E\}\) be the set of such indexed events that denote when events in \(\mathcal {E}_\dagger \) start and end. Let \( ser :seq(\mathcal {E}_\dagger ) \rightarrow seq({\mathcal {E}^{-}_{\dagger }})\) the operator that converts a trace of events \(t_\dagger \in seq(\mathcal {E}_\dagger )\) into its indexed equivalent \(t^{-}_\dagger \in seq({\mathcal {E}^{-}_{\dagger }})\) by replacing every event \(e_\dagger \in t_\dagger \) with the sequence \(\langle e^S_\dagger , e^E_\dagger \rangle \).

Lemma 1

For each monitor \(\mathcal {R}_\dagger \) (\(\dagger \in \mathcal {L}\)), there always exists a monitor \(\mathcal {R}^{-}_\dagger :\varSigma _\dagger \times {\mathcal {E}^{-}_{\dagger }} \rightarrow \varSigma _\dagger \) such that \(\forall \sigma _\dagger \in \varSigma _\dagger , \forall t_\dagger \in seq(\mathcal {E}_\dagger ): \mathcal {R}_\dagger (\sigma ,t_\dagger )=\mathcal {R}^{-}_\dagger (\sigma , ser (t_\dagger ))\).


Given \(\mathcal {R}_\dagger \), the monitor \(\mathcal {R}^{-}_{\dagger }\), defined as \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\sigma \) if \(i=S\) and \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\mathcal {R}_\dagger (\sigma ,e_\dagger )\) if \(i=E\), respects the property. \(\quad \square \)

It is hence safe to assume, without loss of generality, that every monitor for a layer \(\dagger \) is defined over events in \({\mathcal {E}^{-}_{\dagger }}\). We denote such a monitor \(\mathcal {R}^{-}_{\dagger }\).

Definition 9

(Serializable Trace). A trace \(t=(t_A,t_B)\) is serializable if for every pair of events \(e_A\in t_A, e_B\in t_B\), \(t^S(e_A)\not =t^S(e_B)\) and \(t^E(e_A)\not =t^E(e_B)\).

Let \(\mathcal {E}_{A \otimes B}=\mathcal {E}_A\cup \mathcal {E}_B\) and \({\mathcal {E}^{-}_{{A \otimes B}}}=\mathcal {E}_{A \otimes B}\times \{S,E\}\). If a trace \(t=(t_A,t_B)\in seq(\mathcal {E}_A)\times seq(\mathcal {E}_B)\) is serializable, then it is possible to construct a trace \(t^{-} \in seq({\mathcal {E}^{-}_{{A \otimes B}}})\) that is equivalent to t, in the sense that it is possible to reconstruct each one given the other. \(t^{-}\) is given by the events in \( ser (t_A) \bowtie _t ser (t_B)\) sorted by timestamp. The monitor for the composed system \({\dot{\mathcal {R}}_{{A \otimes B}}}\) described in step 7 of this work assumes the trace of input events \(t=(t_A,t_B)\) to be serializable and provided as a sequence of events in \({\mathcal {E}^{-}_{{A \otimes B}}}\) (\({\dot{\mathcal {R}}_{{A \otimes B}}}:\varSigma _{{A \otimes B}}\times {\mathcal {E}^{-}_{{A \otimes B}}}\rightarrow \varSigma _{{A \otimes B}}\)).

Note that we can relax the assumption on the serializable traces because any trace of events \(t_{A \otimes B}=(t_A,t_B)\) in \({{A \otimes B}}\) can be seen as longest possible concatenation of subtraces \(t_i=(t_{iA},t_{iB})\), such that any event starting in \(t_i\) also terminates within \(t_i\) and viceversa and such that \((t_{1A}::t_{2A}::..::t_{nA})=t_A\) and \((t_{1B}::t_{2B}::..::t_{nB})=t_B\). Then, for each \(t_i\),

$$\begin{aligned} \mathcal {R}_{{A \otimes B}}(\sigma ,t_i)=\left\{ \begin{array}{ll} {\dot{\mathcal {R}}_{(}}\sigma ,t_i) &{} \text {if}\ t_i \ \text {is serializable}\\ {\hat{\mathcal {R}}_{(}}\sigma ,t_i) &{} \text {otherwise} \end{array} \right. \end{aligned}$$

\(\mathcal {R}_{{A \otimes B}}\) is a sound monitor that is no less precise than \({\hat{\mathcal {R}}_{(}}\sigma ,t)\) and does not require t to be serializable.

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Lovat, E., Ochoa, M., Pretschner, A. (2016). Sound and Precise Cross-Layer Data Flow Tracking. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science(), vol 9639. Springer, Cham.

Download citation

  • DOI:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics